Introduction
Sometimes, we may hesitate about whether it is convenient to expose the port of a database or any other service to the Internet for remote connection and management. Exposing a port like this is similar to letting thieves see the door and lock of a house; all they need is a skilled "locksmith" to unlock it sooner or later.
We all know that using just a username and password is not enough for a secure system. There are many ways for users to unknowingly lose their credentials. Nowadays, login systems have added features such as two-factor authentication, one-time password (OTP) login, or even login using secret keys created by complex algorithms to provide better security for users.
SSH (Secure Shell) is a protocol used for remote login and administration of devices, as well as for transferring files over unreliable networks. It is safe to say that SSH is the most widely used protocol for logging in and controlling another computer over the Internet. SSH becomes powerful because, in addition to using usernames and passwords, it also supports the use of SSH keys, making it extremely difficult to crack.
When we have an SSH session, we have the privilege to operate the server with the same permissions as the user set up in the system. This includes mapping any TCP/IP port of the server to the personal computer. This feature is called SSH Tunneling, and in this article, we will learn more about SSH Tunneling.
What is SSH Tunneling?
The term "tunnel" in English refers to an underground passage. True to its name, SSH Tunneling diggs a "tunnel" through SSH.
Using SSH Tunneling, we can forward any TCP/IP port from the server to the client and secure that connection.
For example, suppose we have a server A at IP address x.x.x.x that has MySQL Server installed using port 3306. A has configured not to expose port 3306 to the outside world. This means that only A can connect to the MySQL server.
However, using SSH Tunneling to dig a "tunnel" to forward port 3306 of A to some port on machine B is entirely feasible. In other words, we can indirectly connect to A through B.
To do this, of course, we must have an SSH session to A in order to establish the Tunneling.
Benefits of Using SSH Tunneling
SSH Tunneling has certain benefits for different user groups.
For individual users, SSH Tunneling can be a solution to connect to remote server applications quickly and easily while still ensuring security over untrusted networks. No need to open ports on the Internet, no need to set up a virtual private network…
For enterprise environments, SSH Tunneling is widely used in computer systems through software built on top of it. But overall, its purpose is still to connect applications within a computer system [reference].
Limitations
While the network benefits are significant, SSH Tunnels come with risks.
SSH connections are heavily encrypted, which unintentionally makes it difficult for network monitoring tools to observe the data inside the "tunnel". If an attacker takes advantage of this to steal data, it can be very dangerous.
Using SSH Tunneling, it is easy to set up port forwarding to bypass blocked ports from the firewall to another machine. Most firewalls provide little or no protection against this.
Because SSH tunnel setup is simply done with a single command, malware can silently install code to execute on the server for malicious purposes.
SSH Tunnel attacks also aim to be anonymous. Attackers who somehow gain access to the victim's servers will create a Tunneling and control them remotely. These servers will be used for large-scale attacks, such as DDOS. In fact, there have been reports of millions of IoT devices being attacked and exploited using this method [reference].
Overcoming Limitations
To prevent the risks caused by SSH Tunneling, operators need to have the ability to monitor, control, and inspect encrypted SSH connections. Proper configuration and enhanced security of the operating system on IoT devices are also necessary.
Setting up SSH Tunnels
Local Forwarding
Suppose you want to forward port 3306 of server A with IP address x.x.x.x to port 3307 of machine B with IP address z.z.z.z:
$ ssh -L 3307:z.z.z.z:3306 [email protected]
With [email protected] being the command to log into the server using SSH.
Now, any connection to z.z.z.z:3307 will be equivalent to x.x.x.x:3306.
Similarly, if you want to forward port 3306 of server A to your local computer:
$ ssh -L 3307:127.0.0.1:3306 [email protected]
By default, Tunneling commands will keep the session, and you will see the terminal holding a connection to the server. To run Tunneling in the background, add the -N -f options:
$ ssh -L 3307:z.z.z.z:3306 -N -f [email protected]
Remote Forwarding
Suppose you want to forward port 80 of server A with IP address x.x.x.x to port 8080 on your local machine:
$ ssh -R 80:localhost:8080 [email protected]
With [email protected] being the information to log into the server using SSH.
By default, Remote Forwarding is turned off on the server. To use this feature, you need to change the GatewayPorts no configuration to GatewayPorts yes in the regular SSH configuration file sshd_config located at /etc/ssh/sshd_config.
Alternatively, set GatewayPorts clientspecified to specify a new IP address with forwarding rights.
$ ssh -R z.z.z.z:80:localhost:8080 [email protected]
This only allows IP z.z.z.z to forward port 80 of A to port 8080 on the local machine.
Conclusion
SSH Tunneling, or port-forwarding, is a solution to forward the port of one machine to another machine through an SSH-dug "tunnel", ensuring high reliability.
SSH Tunneling brings many benefits but also comes with risks. Preventing these risks requires system operators with the ability to monitor the system.
Setting up SSH Tunnels is straightforward, with just a single command.